[strongSwan] Please point me in the right direction to encapsulate tap interface layer 2 traffic in a tunnel
flyingrhino at orcon.net.nz
Wed Apr 11 05:04:28 CEST 2018
I am trying to connect a servers-network to several remote
clients-networks using ipsec/strongswan.
Normally I could do that easily at Layer 3 on my own without troubling
However, I need to pass L2 packets from side to side - this includes ARP
- because the machines at the initiator left side are being given IP
addresses from a DHCP server located at the responder left side.
- On the initiator machine I have a tap interface that's bridged with
eth0 that connects to a physical switch. The DHCP clients connect to
I have several of these networks.
Each of these networks is a road-warrior style setup - the network can
pop up anywhere in the world.
- On the responder machine I also have a tap interface that's bridged
with eth0 that connects to a switch. The DHCP server and other servers
connect to this switch.
I must assign IPs to the initiator-side-clients from the responder-side
DHCP server - I can't have DHCP servers on the remote networks at the
clients end (where the initiator lives).
Is there a way to tell strongswan/ipsec that it should take all the
traffic from the tap interface and push it through the tunnel to make it
appear at the other side tap interface?
If needed - I don't mind setting up multiple tap interfaces on the
responder - each serving one initiator.
Can you please point me in the right direction?
Do you have an example similar to my scenario that I can look at to
Thank you very much.
A long time openvpn sysadmin now turned strongswan sysadmin!
More information about the Users